Virgin Media admit customer data left unsecured

10 March 2020   By Dr Lucy Brown, Editor

Up to 900,000 people could have been affected when a database containing personal details was left accessible.

Virgin Media stress no passwords or financial details were included in the database, which was used for marketing purposes.

They have blamed an incorrect configuration for the error which placed customer and potential customer details in an accessible location for 10 months.

The Information Commissioner's Office (ICO) has been made aware of the breach and Virgin has launched a forensic investigation.

Personal details

The marketing database may not have contained passwords or financial details, but there were still personal details in there that customers would not expect to be easily accessible.

For instance, email and home addresses were stored there, along with phone numbers and details of requests customers may have made via webforms. A small number of date of birth records were also stored there.

So, while customers aren't at risk of having their financial details stolen directly from the breach, phishing attempts using the personal information in the database remain a possibility.

Virgin Media has admitted the data was accessed at least once by an unknown user, although further details about this may be uncovered during their investigation.

Human error

The 900,000 people whose contact details were stored on the database were almost all Virgin Media customers taking television or fixed-line home phone services.

However, some Virgin Mobile customers were also listed, along with some potential customers referred by friends during a promotion.

Virgin confirmed the breach was due to human error, with a member of staff failing to follow procedures and configure the database correctly.

Embarrassingly, though, it was a security researcher at TurgenSec who identified the problem rather than someone spotting it from within the Virgin Media team.

That the data had been accessible since April 2019 is a major concern for Virgin, and the resulting investigation should help to strengthen procedures as well as providing a warning to other major companies to safeguard customer data appropriately.

For Virgin, who are in the process of launching their Gig1 broadband in the West Midlands, it's a public embarrassment at a time when they were riding the wave of positive coverage.

Phishing dangers

Customers may well be concerned about their personal details being accessed by at least one unknown user, and the best advice for anyone affected is to remain vigilant.

Phishing scams, where fraudsters trick customers by pretending to be from a legitimate company, represent a real danger. There have been numerous warnings about phishing in recent years, with HMRC highlighting a 360% increase in callers purporting to be from them in late 2018.

So, Virgin has reminded customers to hang up on any call they're suspicious of and to report it directly to them using a recognised number or contact form on the website. Similarly, they warned customers not to open emails they're uncertain about or to click on links.

They have also reiterated that they will never ask customers for sensitive details such as bank account numbers and sort codes over the phone or by email.

Tech companies dealing with data breach issues is unfortunately nothing new. Challenger bank Monzo asked customers to alter their PINs in August 2019 when encrypted data was stored in the wrong locations and was accessible by engineers without clearance.

Last week, it was revealed millions of Android smartphones in the UK were vulnerable to hacking because of a lack of security patch updates to certain versions of Android.
